
Create single file with CNA/ADP information and update with CVE repository data #133

Open
jayjacobs opened this issue Sep 17, 2024 · 5 comments

Comments

@jayjacobs

Right now there are two fields in a CVE record for every CNA, an "org ID" and "short name".

The only "available" data on CNAs is buried in the website repository at:
https://raw.githubusercontent.com/CVEProject/cve-website/dev/src/assets/data/CNAsList.json

It does not appear to have the "org ID" field.

There was a recent addition with the following data: https://www.cve.org/cve-partner-name-map.json that includes the org ID but then only the name (not the short name) of the CNA.

I propose there is a process to generate and publish a single JSON file (or other data store) that contains all available and appropriate information for both the CNAs and ADPs, and that this file be included with the CVEs in the CVEListv5 repository and kept current and relevant.

@bjedwards

A couple other pieces of information that would be "nice to have":

  • Date organization became a CNA
  • Current organization status
    • There are currently CVEs in the CVEListv5 that are assigned CNAs that do not exist in above files, e.g. @hunterdev
    • These may be CNAs who are no longer active, or belonged to organizations who already had CNAs
  • Date when any status change took place.

Might be other stuff, would love to have others add something.

@mprpic
Collaborator

mprpic commented Oct 8, 2024

This requires further discussion between QWG and AWG since it touches both the site as well as CVE Services, and potentially a data schema that would have to be defined for this data.

What we need here now is a set of use cases that this data would fulfill if it were to be available in a standard API or included in the cvelist in some way.

@zmanion
Contributor

zmanion commented Oct 15, 2024

Possible first step/improvement:

  1. add "org ID" to CNAsList.json so that all CNA IDs are in this file (shortName, cnaID, organizationName, and assignerOrgId)
  2. put CNAsList.json under revision control, maybe in the cvelistV5 repository
  3. add some fields as noted above, if they can be clearly defined and the data obtained and managed (like start date and end date)
  4. include ADPs, so maybe the file name(s)/language should be about "partners" and not just "CNAs"
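As an added illustration (not code from this issue or from the CVE project), the script below joins the two published sources into one partner file carrying shortName, organizationName and org ID, as step 1 proposes, and then uses it to find CVE records whose assigner is absent from that file, the situation noted in the earlier comment. All sample values are constructed, and the shape of cve-partner-name-map.json (org ID to organization name) is an assumption.

```python
"""Build one partner file from CNAsList.json and cve-partner-name-map.json,
then check CVE v5 records against it.  All data below is constructed."""
import json

# Constructed CNAsList.json entries: the real file has more fields but no org ID.
CNAS_LIST = [
    {"shortName": "example_cna", "organizationName": "Example Security Corp"},
    {"shortName": "other_cna", "organizationName": "Other Software Ltd"},
]
# Constructed cve-partner-name-map.json; ASSUMED shape: org ID -> organization name.
PARTNER_NAME_MAP = {
    "11111111-1111-4111-8111-111111111111": "Example Security Corp",
    "22222222-2222-4222-8222-222222222222": "Other Software Ltd",
}
# Constructed CVE v5 records; cveMetadata carries assignerOrgId and assignerShortName.
CVE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-0001",
                     "assignerOrgId": "11111111-1111-4111-8111-111111111111",
                     "assignerShortName": "example_cna"}},
    {"cveMetadata": {"cveId": "CVE-0000-0002",  # assigner is in no partner file
                     "assignerOrgId": "33333333-3333-4333-8333-333333333333",
                     "assignerShortName": "retired_cna"}},
]

def build_partner_file(cnas_list, name_map):
    """Join the sources on organizationName; orgId is None when no name matches."""
    id_by_name = {name: org_id for org_id, name in name_map.items()}
    return [{"shortName": c["shortName"],
             "organizationName": c["organizationName"],
             "orgId": id_by_name.get(c["organizationName"])} for c in cnas_list]

def unknown_assigners(records, partners):
    """Return (cveId, assignerOrgId, assignerShortName) for records whose org ID
    is not in the partner file or whose short name disagrees with it."""
    by_id = {p["orgId"]: p for p in partners if p["orgId"]}
    hits = []
    for rec in records:
        meta = rec["cveMetadata"]
        partner = by_id.get(meta["assignerOrgId"])
        if partner is None or partner["shortName"] != meta["assignerShortName"]:
            hits.append((meta["cveId"], meta["assignerOrgId"], meta["assignerShortName"]))
    return hits

if __name__ == "__main__":
    partners = build_partner_file(CNAS_LIST, PARTNER_NAME_MAP)
    print(json.dumps(partners, indent=2))
    for hit in unknown_assigners(CVE_RECORDS, partners):
        print("assigner not in partner file or short name mismatch:", *hit)
```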

@jayjacobs
Author

This was discussed in the AWG on 2024-10-23, and it was requested that use cases be added.

  • The primary use case for having a clear (and preferably historical) connection between the CNA (or ADP) and the records is one of attribution. Being able to understand who the owner is (and hopefully was) at creation and subsequent modifications enables multiple downstream use cases.
    • Tracking and providing feedback to entities that influence (good/bad) data quality.
    • Tracking general activity and participation in the CVE program (not just in record creation/maintenance but also when they join the program)
    • Useful for forecasting individual CNA contributions moving forward (e.g. https://dl.acm.org/doi/fullHtml/10.1145/3492328)
    • Having various metadata fields about the entity helps assign labels and aggregate into various categories.

@zmanion
Contributor

zmanion commented Oct 25, 2024

There is/was an idea/effort to create a User Registry. Not sure of the current state of this. Potentially the User Registry would contain needed CNA/ADP information and provide it in some useful way like an API and JSON.

Unless the User Registry is coming soon, I'd still support a "single JSON file," just noting that the User Registry could be a thing.
